Latest Crypto related questions

As my survey, most of(I am not sure if it is "all") the constructions of VRF are instantiated with the use of pairing. Can we construct a VRF without using pairing?

A message, m is encrypted using a private key d.

p = prime()
q = prime()
e = 65537
c = pow(m, e, n)
PHI = (p-1)*(q-1)
d = mod_inverse(e, PHI) 

Assume all these values are known to the attacker, except for the message (m) and ciphertext (c).

Is it possible to find an alternate value for d such that:

c ^ d_alternative % n == m (the ciphertext decrypts correctly to the message)

And

d_alternative % PHI ...

I want to find the curve points that intersects an arbirtary line, not just tangent line or a line through curve points. An example:

p = 1303
b = 7

input : arbitrary points : (1, 1),(2, 2)
output : curve points : (319,319),(356,356),(629,629)

(319,319) 319^3+7 ≡ 319^2 ≡ 127 (mod p)
(356,356) 356^3+7 ≡ 356^2 ≡ 345 (mod p) 
(629,629) 629^3+7 ≡ 629^2 ≡ 832 (mod p)

The line should wrap aroun ...

I've been trying to get a grasp of how the Signal protocol works. According to the spec, DH is done on four keys: IK_A, SPK_B, EK_A and IK_B:

If the bundle does not contain a one-time prekey, she calculates:

    DH1 = DH(IK_A, SPK_B)
    DH2 = DH(EK_A, IK_B)
    DH3 = DH(EK_A, SPK_B)
    SK = KDF(DH1 || DH2 || DH3)

Given that all these four keys are public keys and are announced through untrusted  ...

Given the following information:

"curve": "P-256",

"qx": "729C51D177EBE2079A0FB7B0B3C2145159CF81EC61960E642A1744719AA9F913",

"qy": "8C36BCF51475016E614F8C7E0CB1B37C7EA65B4ECCF809852C9B2D0E438710BD"

The above coordinates are supposedly valid as per the test vector expected results:

"testPassed": true

I need to determine if the above public key coordinates are valid points on the curve or not. I have t ...

Is there any concrete group in which one CDH is exponentially easier (even it's still hard) than DLog.

There is a proof sketch in Introduction to modern cryptography that a three-round feistel network using pseudorandom round functions is a secure pseudorandom permutation PRP Πk against probabilistic polynomial time adversaries which have access to Πk. Now my confusion is to turn the proof sketch into a formal security arguments?

My question is very basic one. Suppose $a_0, a_1, a_2, a_3, a_4, b_0, b_1, b_2, b_3, b_4$ are $10$ uniform random variables from $\{0,1\}$ independent of each other. Now there are expressions of the form

1. $a_4b_4 + a_3(b_0 + b_2+1) + b_3(a_0 + a_2 +1) + a_1(b_2 + b_4) + b_1(a_2 +a_4)$
2. $a_2b_0 + a_1b_1 + (a_0 + a_2 +1)b_2$

Can we apply Pilling up lemma? Or alternatively are the random variables $a_4b ...

In key agreement (or key exchange) protocols, is used signature for authentication. Suppose that key exchange protocols execute on elliptic curve. The initiator of protocol must sends signature of his message with main message. What happen if the curve used in key agreement protocol also used in signature inside of protocol?

For example in Diffie-Hellman key exchange over curve, Alice sends $aP$ and  ...

I realize this depends on my implementation and the implementation of the libraries I use. I am asking about my process assuming that the encryption libraries and my code are not flawed/compromised, the user's password is secure and the machine is not compromised.

The goal here is to protect the confidentiality of the files with a password, and be able to encrypt them without entering a password. ...

I am trying to build a simulated enigma machine.I am basing it off of this one https://www.101computing.net/enigma-machine-emulator/

I have setup the 3 rotors and I am having trouble understanding the rings and rotations. For example I have set the rotors to III,II,I with the 3rd rotors having a ring setting of AAB. If you enter and A then the output is a N. My simulator agrees with this.Then if  ...

For unknown group order such as RSA groups $ G %$, it takes $T$ sequential steps to compute the below function (time-lock puzzle).

$$ y = g^{2^T} mod N$$

This paper states that if $ /Phi(N) $ (Group order) is known, it takes only two exponentiation to compute $y$.

$$ e = 2^T mod |G| $$ $$ y = g^e $$

I am not sure I understand how these two results are equivalent.

Facebook plan a new cryptocurrency release called Diem. What algorithms are used? What output size is used for the hash function?

I need to implement a PSI that will be used on mobile devices to find mutual contacts. Assuming the set cardinality from both parties A and B are less than 1000, what would be the most efficient PSI protocol that I can use in such a scenario without involving a third party? Would it be possible to extend this protocol for multi-party PSI?

Hi I have a doubt at the end of the proof of the RAPPOR Algorithm, when they say the sensitivity is maximized when $b'_{h+1}=b'_{h+2}=...=b'_{2h}=1$ and $b'_{1}=b'_{2}=...=b'_{h}=0$. I don't understand if the maximized is define as the ratio of probabilities or comes from the definitions of sensitivity in differential privacy.

Link Paper: https://static.googleusercontent.com/media/research.google.com ...